* @description A non-serializable, immediate superclass of a serializable class that does not
* itself declare an accessible, no-argument constructor causes deserialization to
* fail.
This rule does not take into consideration the Serialization Proxy pattern. This approach is recommended in Effective Java, a reference this rule's explanation points to. The proxy pattern is both a simplification and a protection from security threats: it reconstructs the object from its data elements, using readResolve to replace the output with a new instance, rather than trying to rehydrate the object directly.
While ideally this rule would understand this pattern, it is okay if it is a false positive, provided it recommends that as the solution. A less aware developer might remove this security protection to comply, or might not be nudged to implement that better approach if it is a true positive.
codeql/java/ql/src/Likely Bugs/Serialization/MissingVoidConstructorsOnSerializable.ql
Lines 2 to 5 in c95f8d7
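The situation the issue describes, as an added example that is not code from the CodeQL repository or the issue author: a serializable class whose non-serializable superclass has no no-argument constructor (the shape the rule flags), which nevertheless deserializes correctly because it uses the Serialization Proxy pattern from Effective Java. The class names, fields and values are constructed for illustration. On the wire the object is replaced by a small proxy (writeReplace); on the way back, the proxy's readResolve rebuilds a fresh instance through the public constructor, so the constructor's checks run again, and a stream that carries the real class directly is rejected in readObject.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamException;
import java.io.Serializable;

// Constructed example: a non-serializable superclass that only has a
// constructor taking arguments, i.e. no accessible no-arg constructor.
// This is exactly what MissingVoidConstructorsOnSerializable looks for.
class Account {
    protected final String owner;

    Account(String owner) {
        this.owner = owner;
    }

    public String getOwner() {
        return owner;
    }
}

// Serializable subclass using the Serialization Proxy pattern.
// The real object is never rehydrated field-by-field, so the superclass
// constructor problem never arises at deserialization time.
public final class SavingsAccount extends Account implements Serializable {
    private static final long serialVersionUID = 1L;
    private final long balanceCents;

    public SavingsAccount(String owner, long balanceCents) {
        super(owner);
        if (balanceCents < 0) {
            throw new IllegalArgumentException("negative balance");
        }
        this.balanceCents = balanceCents;
    }

    public long getBalanceCents() {
        return balanceCents;
    }

    // Serialize a proxy instead of this instance.
    private Object writeReplace() {
        return new SerializationProxy(this);
    }

    // Reject a forged stream that carries a SavingsAccount directly
    // instead of its proxy.
    private void readObject(ObjectInputStream in) throws InvalidObjectException {
        throw new InvalidObjectException("Proxy required");
    }

    private static final class SerializationProxy implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String owner;
        private final long balanceCents;

        SerializationProxy(SavingsAccount account) {
            this.owner = account.getOwner();
            this.balanceCents = account.getBalanceCents();
        }

        // Rebuild the real object through its constructor so the
        // invariants are re-validated on the untrusted data.
        private Object readResolve() throws ObjectStreamException {
            try {
                return new SavingsAccount(owner, balanceCents);
            } catch (IllegalArgumentException e) {
                throw new InvalidObjectException(e.getMessage());
            }
        }
    }

    // Round trip: without the proxy, readObject() would fail here with
    // InvalidClassException ("no valid constructor") because Account
    // cannot be instantiated by the serialization machinery.
    public static void main(String[] args) throws Exception {
        SavingsAccount original = new SavingsAccount("alice", 12_500);
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(original);
        }
        try (ObjectInputStream in = new ObjectInputStream(
                new ByteArrayInputStream(bytes.toByteArray()))) {
            SavingsAccount copy = (SavingsAccount) in.readObject();
            System.out.println(copy.getOwner() + " " + copy.getBalanceCents());
        }
    }
}
```

Compiled as SavingsAccount.java and run, this prints `alice 12500`. The rule reports Account because it lacks a no-arg constructor, but adding one, as the rule's fix suggests, would be unnecessary here and would only make a direct (proxy-less) rehydration path viable again.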